CVE-2016-4868

Email header injection vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows remote attackers to inject arbitrary email headers to send unintended emails via specially crafted requests.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://jvn.jp/en/jp/JVN08736331/index.html	Third Party Advisory VDB Entry
http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000190.html	Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/97713	Third Party Advisory VDB Entry
https://support.cybozu.com/ja-jp/article/9433	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cybozu:office:9.0:::::::*
	cpe:2.3:a:cybozu:office:9.1.0:::::::*
	cpe:2.3:a:cybozu:office:9.2.0:::::::*
	cpe:2.3:a:cybozu:office:9.2.1:::::::*
	cpe:2.3:a:cybozu:office:9.3.0:::::::*
	cpe:2.3:a:cybozu:office:9.3.1:::::::*
	cpe:2.3:a:cybozu:office:9.3.2:::::::*
	cpe:2.3:a:cybozu:office:9.9.0:::::::*
	cpe:2.3:a:cybozu:office:10.0.0:::::::*
	cpe:2.3:a:cybozu:office:10.0.1:::::::*
	cpe:2.3:a:cybozu:office:10.0.2:::::::*
	cpe:2.3:a:cybozu:office:10.1.0:::::::*
	cpe:2.3:a:cybozu:office:10.1.2:::::::*
	cpe:2.3:a:cybozu:office:10.2.0:::::::*
	cpe:2.3:a:cybozu:office:10.3.0:::::::*
	cpe:2.3:a:cybozu:office:10.4.0:::::::*

History

No history.

Information

Published : 2017-04-17 15:59

Updated : 2024-02-04 19:11

NVD link : CVE-2016-4868

Mitre link : CVE-2016-4868

CVE.ORG link : CVE-2016-4868

JSON object : View

Products Affected

cybozu

office

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2016-4868", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2017-04-17T15:59:00.277", "references": [{"url": "http://jvn.jp/en/jp/JVN08736331/index.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "vultures@jpcert.or.jp"}, {"url": "http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000190.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "vultures@jpcert.or.jp"}, {"url": "http://www.securityfocus.com/bid/97713", "tags": ["Third Party Advisory", "VDB Entry"], "source": "vultures@jpcert.or.jp"}, {"url": "https://support.cybozu.com/ja-jp/article/9433", "tags": ["Vendor Advisory"], "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Email header injection vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows remote attackers to inject arbitrary email headers to send unintended emails via specially crafted requests."}, {"lang": "es", "value": "Una vulnerabilidad de la inyecci\u00f3n de encabezado de correo electr\u00f3nico en Cybozu Office versiones 9.0.0 hasta 10.4.0, permite a los atacantes remotos inyectar encabezados de correo electr\u00f3nico arbitrarios para enviar correos electr\u00f3nicos no previstos por medio de peticiones especialmente dise\u00f1adas."}], "lastModified": "2017-05-23T01:29:02.083", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cybozu:office:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B029709C-5ED7-4F29-8DA9-AFF9D678429F"}, {"criteria": "cpe:2.3:a:cybozu:office:9.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9AE0F63-8DD1-4F61-B772-E4F64197A73F"}, {"criteria": "cpe:2.3:a:cybozu:office:9.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27E1F1BC-4FF8-4438-92C2-5094F18BAB27"}, {"criteria": "cpe:2.3:a:cybozu:office:9.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C71A2292-BEEF-4449-992C-B8535E0EF969"}, {"criteria": "cpe:2.3:a:cybozu:office:9.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4B07F75-4F29-4241-9C5A-F723EAFCFC49"}, {"criteria": "cpe:2.3:a:cybozu:office:9.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7ADEDCD4-8794-42A3-961A-9CE562BF64CA"}, {"criteria": "cpe:2.3:a:cybozu:office:9.3.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3CF1B981-0417-430F-9BB3-7292D297557E"}, {"criteria": "cpe:2.3:a:cybozu:office:9.9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59BDE89C-C891-4517-877D-26B5E4D87E0B"}, {"criteria": "cpe:2.3:a:cybozu:office:10.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F02CF334-548D-4B9B-8732-A85D97E003C5"}, {"criteria": "cpe:2.3:a:cybozu:office:10.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A968E493-5C74-45FB-BA4E-C21D66613480"}, {"criteria": "cpe:2.3:a:cybozu:office:10.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89D06E58-28D5-43E9-87CD-9534DF3CA6DA"}, {"criteria": "cpe:2.3:a:cybozu:office:10.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A86DD19B-9DD2-412D-B259-9D2677C9CC0B"}, {"criteria": "cpe:2.3:a:cybozu:office:10.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1EE0A58F-3DAF-4E88-A7CC-E1FE749EB6A2"}, {"criteria": "cpe:2.3:a:cybozu:office:10.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BF85C6A-952B-4327-98EF-BB72CA6AA5CE"}, {"criteria": "cpe:2.3:a:cybozu:office:10.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "664B383F-3C96-406C-B0B9-041F26F1F5A9"}, {"criteria": "cpe:2.3:a:cybozu:office:10.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BBA465B8-3852-4630-B16C-120F77DB1F8C"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}